US Secret Service probed after sensitive files left on Metro train

Filed Under: Data loss, Featured, Law & order, Privacy, Security threats

A contractor working for the US Secret Service walked onto a Washington, DC Metro train carrying two tapes full of extremely sensitive data. He got off at his stop carrying neither.

A few years later, the US Secret Service is under investigation for what's being described as the "immense breach".

Washington DC metro train. Image from Shutterstock

The tapes contained personal information about all agency employees, contacts and overseas informants, according to Fox News, which interviewed multiple law enforcement and congressional sources for the story.

The extremely sensitive personal data included Social Security Numbers, home addresses, information about family members, phone numbers, dates of birth, medical information, bank account numbers, employment information, driver's license numbers, passport numbers, and biometric information - all of which were secured only with "very basic encryption", according to Fox News who quoted a Secret Service source with knowledge of the incident:

"It was very basic encryption. Let's just say it wouldn't take a genius to crack it."

This contradicts the Secret Service's account.

Secret Service spokesman Ed Donovan told Fox News that the data was secured by "multiple layers of security":

"In February of 2008, a contract employee whose function was to maintain, secure and transport this type of information lost two 'back-up' tapes on the DC Metro while transporting them to an off-site facility. These back-up tapes were not marked or identified in any way and were protected by multiple layers of security. They could not be accessed without the proper equipment, applications and encoding."

The Department of Homeland Security Office of Inspector General (DHS-OIG) is investigating the incident.

Secret serviceIt's only one of 13 ongoing investigations into the Secret Service, dubbed "Culture of Secret Service" and launched at the behest of the Senate Homeland Committee following the Cartagena, Colombia prostitution scandal in April.

The DHS-OIG report on the agency's culture is expected in the spring.

The tapes were lost on the Red Line of the Metro in 2008 by a reportedly young, low-ranking employee of a private contracting company hired to transport them from headquarters to a secure vault in Olney, Md., where, Fox says, government agencies store contingency plans, documents and other backup material.

The employee volunteered to drop off the tapes because he lived near the vault, but he got off at the Glenmont, Md., Metro stop without the tapes.

Sources told Fox News that Secret Service failed to follow strict DHS protocols for reporting and responding to privacy incidents involving personally identifying information (PII).

Secret Service officials contacted Metro Transit Police and asked them to keep an eye out for the tapes but filed no police report. Neither did they inform law enforcement or affected staff of the severity of the breach, the sources said - basically, they just whitewashed the incident.

One source told Fox that it's typical for the agency:

"They just covered it up so they wouldn't get in trouble, so they wouldn't be scrutinized for such a huge breach of security... That's why OIG opened up a case on this matter—and the other ones they've opened up are similar in that they show efforts on the part of Secret Service leadership to whitewash security breaches."

At the time of the prostitution scandal, President Obama praised the Secret Service overall, saying that the conduct of "a couple of knuckleheads" shouldn't detract from the agency's good work.

The prospect of losing a backup tape (or two) isn't going away as long as humans are frail, error-prone humans.

Does it reflect a more pervasively weak approach to security?

Let's withhold judgment until the report comes out.

But if the report confirms the allegations of weak encryption on the tapes, failing to follow DHS protocol in properly reporting breaches, and failing to inform the many staff members whose PII was lost, then for shame, Secret Service, for shame.

Washington DC metro train image from Shutterstock.

, , , , , ,

You might like

3 Responses to US Secret Service probed after sensitive files left on Metro train

  1. Gavin · 993 days ago

    To be honest I'm unclear why any organization large enough to have more than one one site would ever be physically shipping tapes around anyway.

    Wouldn't it be a whole lot more secure if a tape library was positioned at whichever backup/archival/disaster recovery site the data was intended to be stored at? You then encrypt the data at source and write it across the network to the destination? Once that's working you write a very stiff policy that says,

    "Thou shalt not ever take these tapes out of this facility, even if you are a knucklehead."

  2. Dan D · 993 days ago

    If you want an accurate story, you might want to ignore Fox News as a source. They aren't known for holding the truth in high regard.

  3. decay · 993 days ago

    [a young low-ranking contract employee "volunteered" to drop off tapes containing extremely sensitive information because he lived near the vault.] Gee. That shouldn't have raised any red flags. Huh?

    Honestly. Strict protocols should have prevented that scenario from ever happening. Forget the fact that the guy "lost" the tapes, they should never have been in his possession to begin with.

    Companies with less sensitive information have their offsite backups transported by reputable "armored car" outfits to their final location, always following strict protocols.

    To say that this was inexcusable (regardless of encryption levels), it is an understatement.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.